Commit 6d841eaa authored by Timothy Andrew's avatar Timothy Andrew

Authorize user before creating/updating a protected branch.

1. This is a third line of defence (first in the view, second in the
   controller).

2. Duplicate the `API::Helpers.to_boolean` method in `BaseService`. The
   other alternative is to `include API::Helpers`, but this brings with it
   a number of other methods that might cause conflicts.

3. Return a 403 if authorization fails.
parent 01d190a8
module ProtectedBranches
class BaseService < ::BaseService
include API::Helpers
def initialize(project, current_user, params = {})
super(project, current_user, params)
@allowed_to_push = params[:allowed_to_push]
......@@ -14,7 +12,7 @@ module ProtectedBranches
set_push_access_levels!
end
protected
private
def set_merge_access_levels!
case @allowed_to_merge
......@@ -56,5 +54,14 @@ module ProtectedBranches
'masters'
end
end
protected
def to_boolean(value)
return true if value =~ /^(true|t|yes|y|1|on)$/i
return false if value =~ /^(false|f|no|n|0|off)$/i
nil
end
end
end
......@@ -3,6 +3,8 @@ module ProtectedBranches
attr_reader :protected_branch
def execute
raise Gitlab::Access::AccessDeniedError unless current_user.can?(:admin_project, project)
ProtectedBranch.transaction do
@protected_branch = project.protected_branches.new(name: params[:name])
@protected_branch.save!
......
......@@ -4,12 +4,13 @@ module ProtectedBranches
def initialize(project, current_user, id, params = {})
super(project, current_user, params)
@id = id
@protected_branch = ProtectedBranch.find(id)
end
def execute
raise Gitlab::Access::AccessDeniedError unless current_user.can?(:admin_project, project)
ProtectedBranch.transaction do
@protected_branch = ProtectedBranch.find(@id)
set_access_levels!
end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment